A curated compilation of extensive resources dedicated to bootkit and rootkit development.
Discover more awesome lists at sindresorhus/awesome.
- Web UEFI: UEFI Specifications
- Web UEFI: UEFI Specification Version 2.10 -> This Unified Extensible Firmware Interface (UEFI) Specification describes an interface between the operating system (OS) and the platform firmware.
- Web UEFI: UEFI Platform Initialization Specification 1.8 -> This specification defines the core code and services that are required for an implementation of the Pre-EFI Initialization (PEI) phase of the Platform Initialization (PI) specifications (hereafter referred to as the “PI Architecture”).
- Web OsDev: UEFI
- Web Wikipedia: Booting Sequence
- Youtube Video: BIOS and UEFI As Fast As Possible -> What fundamental things does a computer BIOS do, and what are the important differences between the traditional BIOS and the newer UEFI?
- Youtube Video: BIOS, CMOS, UEFI -> This video explains the difference between the BIOS, CMOS, and UEFI. It also explains what the purpose of the CMOS battery. What is the BIOS? What is UEFI? What is CMOS?
- Youtube Video: PC BIOS Settings -> BIOS / UEFI settings, including boot options, secure boot, enabling XMP memory profiles, and BIOS passwords. Also information on the differences between a legacy BIOS and a UEFI BIOS, and how to enter the BIOS.
- Youtube Video: ThatOsDev - EFI based Bootloader -> EFI Explained.
- Youtube Video: UEFIForum - Best Practices for UEFI Secure Boot Customization -> UEFI Secure Boot helps provide an effective defense against boot malware, but following today’s best practices in its implementation, deployment and configurability can help its increase its effectiveness against increasingly sophisticated exploits.
- Youtube Video: BlackHat USA 2009 - Attacking Intel Bios -> We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to a previous work done by other researches a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, that normally only allow a vendor's digitally signed firmware to be flashed.
- Youtube Video: REcon 2015 - Attacking and Defending BIOS
- Youtube Video: Defcon 22 - Summary of Attacks Against BIOS -> A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.
- Youtube Video: BlackHat USA 2017 - Betraying the BIOS, Where the Guardians of the BIOS are Failing -> For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security?
- Presentation: BlackHat USA 2009 - Attacking Intel Bios -> We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to a previous work done by other researches a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, that normally only allow a vendor's digitally signed firmware to be flashed.
- Presentation: REcon 2015 - Attacking and Defending BIOS
- Presentation: Defcon 22 - Summary of Attacks Against BIOS -> A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.
- Presentation: BlackHat USA 2017 - Betraying the BIOS, Where the Guardians of the BIOS are Failing -> For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security?
- Github: EDK II Project -> A modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications from www.uefi.org.
- Youtube Video: UEFIForum - Driver Development with EDKII -> The world of UEFI is unlike OS-based software ecosystems in several aspects and the difference can be daunting to a developer who is starting to write UEFI device drivers.
- Github: Getting Started with EDK II -> Steps for downloading EDK II from GitHub and compiling projects under various OS/compiler environments.
- Web Basic Input/Output: "Hello World" Quick Start with EDK II -> Setup the EDK on a system and configure it to build a basic "Hello, World" type program.
- Github: Getting Started Writing Simple Application with EDK II
- Github: VisualUEFI -> A Solution and set of Visual Studio Project Files to allow building the official EDK-II without the use of inf files and other build tools.
- Web CrowdStrike: Bootkit -> Definition, Prevention, and Removal
- Blog: Bootkitting Windows Sandbox
- Youtube Video: BlackHat USA 2013 - Detecting OSX and Windows bootkits with RDFU -> UEFI has recently become a very public target for rootkits and malware. To combat this new threat, we developed a Rootkit Detection Framework for UEFI ("RDFU") that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations.
- Youtube Video: Virus Bulletin 2014 - Bootkits past, present & future -> Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
- Youtube Video: BlackHat USA 2014 - Exposing Bootkits with BIOS Emulation -> Stealth and persistency are invaluable assets to an intruder. You cannot defend against what you cannot see. This talk discusses techniques to counter attempts at subverting modern security features, and regain control of compromised machines, by drilling down deep into internal structures of the operating system to battle the threat of bootkits.
- Youtube Video: Nullcon 2022 - A UEFI firmware bootkit in the wild -> Despite the advanced capabilities they provide, low-level implants such as bootkits and rootkits are only deployed by the most sophisticated attackers due to the risk they pose to the victim system’s stability. In recent years, Kaspersky has however observed a number of new low-level malware, such as MosaicRegressor, MoonBounce, and the object of this talk, CosmicStrand.
- Youtube Video: OffensiveCon18 - Alex Ionescu Advancing the State of UEFI Bootkits -> Persistence in the Age of PatchGuard and Windows 10.
- Presentation: BlackHat USA 2013 - Detecting OSX and Windows bootkits with RDFU -> UEFI has recently become a very public target for rootkits and malware. To combat this new threat, we developed a Rootkit Detection Framework for UEFI ("RDFU") that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations.
- Paper: Virus Bulletin 2014 - Bootkits past, present & future -> Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
- Paper: BlackHat USA 2014 - Exposing Bootkits with BIOS Emulation -> Stealth and persistency are invaluable assets to an intruder. You cannot defend against what you cannot see. This talk discusses techniques to counter attempts at subverting modern security features, and regain control of compromised machines, by drilling down deep into internal structures of the operating system to battle the threat of bootkits.
- Presentation: OffensiveCon18 - Alex Ionescu Advancing the State of UEFI Bootkits -> Persistence in the Age of PatchGuard and Windows 10.
- Web WeLiveSecurity: UEFI threats moving to the ESP -> Introducing ESPecter bootkit
- Web WeLiveSecurity: BlackLotus UEFI bootkit -> The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality
- Github: BlackLotus -> innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal. This software serves the purpose of functioning as an HTTP Loader.
- Github: EfiGuard -> Portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).
- Github: Bootlicker -> A generic UEFI bootkit used to achieve initial usermode execution.
- Github: DmaBackdoorBoot -> UEFI DXE driver intended for executing of kernel mode and user mode payloads under the Windows operating system by having an arbitrary code execution at early boot stage during DXE phase of the platform initialization.
- Github: RedLotus -> Windows UEFI Bootkit in Rust designed to facilitate the manual mapping of a driver manual mapper before the kernel (ntoskrnl.exe) is loaded, effectively bypassing Driver Signature Enforcement (DSE).
- Github: Bootkit Showcase -> Real-World Examples of Infrastructure Security Threats
- Github: SandboxBootkit -> Bootkit tested on Windows Sandbox to patch ntoskrnl.exe and disable DSE/PatchGuard.
- Github: Umap -> Windows UEFI bootkit that loads a generic driver manual mapper without using a UEFI runtime driver.
- Github: UEFI-Bootkit -> A small bootkit designed to use zero assembly.
- Github: PeiBackdoor -> This project implements early stage firmware backdoor for UEFI based firmware. It allows to execute arbitrary code written in C during Pre EFI Init (PEI) phase of Platform Initialization (PI).
- Github: Rovnix -> Volume Boot Record Bootkit.
- Github: Dreamboot -> UEFI bootkit.
- Presentation: UEFI Plugfest - Windows Boot Environment -> High-level description of Windows boot process and Windows UEFI services usage.
- Microsoft: Secure the Windows boot process -> Windows has many features to help protect you from malware, and it does an amazingly good job.
- Youtube Video: Boot Up with Confidence Windows 10/11 Secure Boot Demystified -> How secure boot works in Windows 10/11. Secure boot allows protection from "root-kit" attacks on both clients and servers.
- Youtube Video: Compare Windows 7 and Windows 8-10 boot process -> A comparison of the boot process of Windows 7 and Windows 8/10.
- Web RedTeamNotes: Internals
- Web CodeMachine: Windows kernel data structures -> Catalog of key Windows kernel data structures.
- Web Vergilius: Windows kernel -> Take a look into the depths of Windows kernels and reveal more than 60000 undocumented structures.
- Web Geoff Chappell: Windows kernel
- Microsoft: Get started with drivers on Windows -> General overview of Windows components, types of device drivers used in Windows, goals of Windows device drivers, generic sample device drivers.
- Microsoft: Kernel-Mode Driver Architecture Design Guide -> This section includes general concepts to help you understand kernel-mode programming and describes specific techniques of kernel programming.
- Github: Windows driver samples -> This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
- Microsoft: Windows Driver Kit (WDK) -> This is used to develop, test, and deploy Windows Drivers.
- Microsoft: DebugView -> It is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.
- Microsoft: Write a Hello World Windows Driver (KMDF) -> This article describes how to write a small Universal Windows driver using Kernel-Mode Driver Framework (KMDF) and then deploy and install your driver on a separate computer.
- Microsoft: Development & Demo of Windows Kernel Driver -> The Kernel mode driver can run in highest privileged ring 0. It means the kernel driver mostly have highest level of permissions (like kernel) while executing.
- Microsoft: DriverEntry for WDF Drivers routine -> DriverEntry is the first driver-supplied routine that is called after a driver is loaded. It is responsible for initializing the driver.
- Microsoft: DriverUnload callback function -> The Unload routine performs any operations that are necessary before the system unloads the driver.
- Microsoft: Windows driver documentation -> The official Windows Driver Kit documentation sources.
- GitHub: EDK II Driver Writer's Guide
- Course ZeroPointSecurity: Offensive Driver Development -> Learn how to set up a development testing environment for writing Windows kernel-mode drivers using Hyper-V, WinDbg, and Visual Studio. Cover the basic anatomy of a driver from loading and unloading, I/O control codes, interaction from userland, and kernel debugging.
- Web Windows-Internals: Secure Kernel Patch Guard -> SKPG Initialization
- Web Windows-Internals: Secure Kernel Patch Guard -> SKPG Extents
- Youtube Video: RSA Conference - Windows Kernel Patch Protection -> This session will look at a critical flaw in the design of Windows Kernel Patch Protection (PatchGuard), a system used to prevent modification to kernel code and other critical structure. The design of PatchGuard will be discussed, along with the design of an attack which uses the flaw in PatchGuard to disable the PatchGuard response entirely.
- Web Uninformed: Bypassing Patchguard on Windows
- GitHub: PatchGuardBypass -> Bypassing PatchGuard on modern x64 systems.
- Web CyberArk: GhostHook -> Bypassing PatchGuard with Processor Trace Based Hooking.
- GitHub: InfinityHook -> Kernel driver that will hook system calls.
- Blog: New bypass disclosed in Microsoft PatchGuard (KPP) -> After GhostHook and InfinityHook, we now have ByePg.
- Blog: ByePg -> Defeating Patchguard Using Exception - Hooking.
- Github: Shark -> Turn off PatchGuard in real time for win7 (7600) ~ later.
- Github: UPGDSED -> Universal PatchGuard and Driver Signature Enforcement Disable.
- Github: PgResarch -> PatchGuard Research.
- Web Kaspersky: What is a Rootkit? -> Definition and Explanation
- Web CyberArk: Fantastic Rootkits -> Where to find them part 1
- Web CyberArk: Fantastic Rootkits -> Where to find them part 2
- Web CyberArk: Fantastic Rootkits -> Where to find them part 3 - ARM Edition
- Web JumpSec Labs: A Defender's Guide For Rootkit Detection
- Web OpenSecurityTraining: Rootkits -> What they are and how to find them part 1
- Web OpenSecurityTraining: Rootkits -> What they are and how to find them part 2
- Web OpenSecurityTraining: Rootkits -> What they are and how to find them part 3
- Web Gmer: Gmer -> It is an application that detects and removes rootkits.
- Youtube Video: GuidedHacking - How to make a Kernel Driver -> This tutorial series will teach you everything you need to make a kernel driver on Windows.
- Youtube Video: Sourcefire - Defense via Hook Detection -> Since both kernel-mode and user-mode rootkits use hooking as a vehicle for hiding their presence on a system, it seems only natural that looking for system hooks could itself be used to identify the presence of a rootkit on a system.
- Youtube Video: Bsides Lisbon 2022 - Windows kernel rootkits for red teams -> In this talk, the focus is on key aspects of developing within the kernel environment, with a particular emphasis on considerations for creating malware targeting the Windows kernel.
- Youtube Video: BlackHat USA 2020 - Demystifying Modern Windows Rootkits -> This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack.
- Youtube Video: BlackHat USA 2020 - The Art of Emulating Kernel Rootkits -> Kernel rootkit is considered the most dangerous malware that may infect computers. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms.
- Presentation: Bsides Lisbon 2022 - Windows kernel rootkits for red teams -> In this talk, the focus is on key aspects of developing within the kernel environment, with a particular emphasis on considerations for creating malware targeting the Windows kernel.
- Presentation: BlackHat USA 2020 - Demystifying Modern Windows Rootkits -> This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack.
- Github: Nidhogg -> Multi-functional rootkit for red teams.
- Github: Black Angel -> Windows 11/10 x64 kernel mode rootkit.
- Github: Cronos -> Windows 10/11 x64 ring 0 rootkit
- Github: Spectre -> Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine. Hiding Processes, token manipulation , hiding tcp network connections by port...
- Blog: Eagle -> Windows Kernel Rookit in Rust.
- Github: Eagle -> Windows Kernel Rookit in Rust.
- Github: ZwHawk -> A kernel rootkit with remote command and control interface for windows.
- Github: www.rootkit.com mirror -> www.rootkit.com users section mirror, sql database dump, and a few other files/rootkits.
- Github: TDL (Turla Driver Loader) -> Driver loader for bypassing Windows x64 Driver Signature Enforcement.
- Github: Hooking) -> Resources About Hooking. For All Platforms. Currently 300+ Tools And 600+ Posts.
- Web RedTeamNotes: Manipulating ActiveProcessLinks to Hide Processes in Userland
- Youtube Video: Sourcefire - Direct Kernel Object Manipulation
- Presentation: BlackHat USA 2004 - DKOM (Direct Kernel Object Manipulation)
- Web NixHacker: Understanding Windows DKOM techniques -> EPROCESS
- Blog: Direct Kernel Object Manipulation and Processes -> DKOM is one of the methods commonly used and implemented by Rootkits, in order to remain undetected, since this the main purpose of a roottkit. To be able to access Kernel-Mode code and data structures without detection from security programs or tools used by security analysts and researchers.
- Github: DKOM -> Windows 10 Direct Kernel Object Manipulation.
- Github: Win_Rootkit -> A kernel-mode rootkit with remote control that utilizes C++ Runtime in it's driver. Uses DKOM and IRP Hooks.
- Github: HideProcess -> A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager.
- Github: HideDriver -> Using DKOM to hide kernel mode drivers.
- Github: Rootkit DKOM -> Direct Kernel Object Manipulationon _EPROCESS internal structure.
- Web RedTeamNotes: Interrupt Descriptor Table (IDT)
- Web MIT: Interrupt Descriptor Table -> The interrupt descriptor table (IDT) associates each interrupt or exception identifier with a descriptor for the instructions that service the associated event. Like the GDT and LDTs, the IDT is an array of 8-byte descriptors. Unlike the GDT and LDTs, the first entry of the IDT may contain a descriptor.
- Youtube Video OpenSecurityTraining: Interrupt Descriptor Table
- Github: Windows x86 Interrupt Descriptor Table (IDT) hooking driver
- Github: IDTHOOK
- Github: x64-IDT-HOOK
- Github: IDTHook_X64 - > Hook IDT vector 0xb2 to detect SCI in 64bit windows.
- Web RedTeamNotes: System Service Descriptor Table (SSDT)
- Web Infosec: Hooking the System Service Dispatch Table (SSDT) -> In this article we'll present how we can hook the System Service Dispatch Table, but first we have to establish what the SSDT actually is and how it is used by the operating system.
- Web AppsVoid: SSDT View -> SSDT View is a Windows OS utility designed to list the most significant aspects of the System Service Descriptor Table (SSDT) including system service indexes, system service addresses, system service names and the module name which corresponds to the system service address.
- Github: MasterHide -> A x64 Windows Driver created to monitor/hide or block access from processes, objects, files ( whatever you want, your imagination is the limit here ) using SSDT/Shadow SSDT hooks.
- Github: TitanHide -> A driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions.
- Github: STrace ->A DTrace on windows syscall hook reimplementation. Think of this like a patchguard compatible SSDT hook, but without hacks.
- Windows Internals - Russinovich, M., Solomon, D., Ionescu, A. & Yosifovich, P. - Microsoft Press. - (Parte 1: 50€, Parte 2: 55€) -> Architecture and core internals of Windows.
- Beyond BIOS: Developing with the Unified Extensible Firmware Interface - Marisetty, S., Rothman, M., & Zimmer, V. - Intel Press. - (66,55€) -> This book provides an overview of modern boot firmware, including the Unified Extensible Firmware Interface (UEFI) and its associated EFI Developer Kit II (EDKII) firmware.
- Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats - Matrosov, A., Rodionov, E., & Bratus, S. - No Starch Press. - (40€) -> Rootkits and Bootkits will teach you how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware.
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System - Blunden, B. - Jones & Bartlett Learning. - (85€) -> While forensic analysis has proven to be a valuable investigative tool in the field of computer security, utilizing anti-forensic technology makes it possible to maintain a covert operational foothold for extended periods, even in a high-security environment. Adopting an approach that favors full disclosure, the updated Second Edition of The Rootkit Arsenal presents the most accessible, timely, and complete coverage of forensic countermeasures.
- Rootkits: Subverting the Windows Kernel - Hoglund, G., & Butler, J. - Addison-Wesley. - (50€) -> It's imperative that everybody working in the field of cyber-security read this book to understand the growing threat of rootkits.
- Github: Advanced Windows exploit development resources -> Some resources, links, books, and papers related to mostly Windows Internals and anything Windows kernel related.
- Github: Awesome Windows Kernel Security Development -> Some resources related to Windows kernel development.
If you wish to acquire this knowledge, along with other topics related to malware analysis, reversing, and bug hunting, under the guidance of top-notch professionals, do not hesitate to get in touch with the institution where I am an instructor, offering a master's degree (Máster en Reversing, Análisis de Malware y Bug Hunting) in this field.
